tags:

views:

257

answers:

6
+8  Q: 

Is there a GOOD reason many web sites won't accept credit cards with spaces and dashes in them?

Is there a technical/legal/financial/contractual/design reason for not accepting credit card numbers with spaces in them?

So many web sites do not allow you to put spaces or dashes in a credit card number. I've always put this up to sloppy programming, but I've used merchant APIs before. If you can figure out how to process a credit card you can figure out how to strip characters from a string. The designers know they're generating a user frustration because they put a warning right on the web site. They're right there on the card! There's even a wall of shame for this.

False laziness, bad programming, callousness, sadism... all these assume the worst in the person doing the code. The most generous I can come up with is they're being really conservative with anything involving money. I've always wondered if there's some Deep And Really Important reason why you should not accept credit card numbers with spaces in them? Why you should absolutely not try to apply any heuristics. Maybe some bizarre financial law dating back to the telegraph age? Maybe they're unsung heroes, protecting us from some unknown evil lest we type in the credit card number of Hastur three times.

A: 

Not everything has a valid reason. I simply think that the first guy who did it didn't allow spaces because it was easier; and then everyone followed and didn't question it.

Andreas Bonini  2009-12-13 20:23:57
Everything has a reason. Not everything has a good or valid reason. :)
brian d foy  2009-12-13 20:24:36
A: 

I don't recall anything in my merchant agreement that stipulated what users had to enter in a form field asking for a credit card number. I don't go to great lengths to normalize it, but I do remove whitespace and hyphens. There are rules about what you can re-display though, but that is merely an amount of content and not the precise form.

You'll see similar things for phone numbers and social security numbers, though, so I don't think it's a credit card number problem.

I mostly think that this is mostly a middleware problem. You have the front-end developed by one group, the backend developed by another, and inbetween there is an off-the-shelf middleware component that nobody likes and everyone has to target. The middleware is written as strictly as possible thinking that it's the responsibility of either side to normalize all data. Then the fingerpointing starts and everyone goes home crying, and you can't use spaces in your credit card number.

brian d foy  2009-12-13 20:24:08
+6  A: 

There really is no good reason other that laziness or time constraints.

Good UI's should adapt to the user and the multiple ways that users think about their data.

It's easy enough for the UI to adapt to the user entering dashes or spaces in the credit card.

Jeffrey Hines  2009-12-13 20:24:20
Yeah, it's just sucky UI. Lump it in with address fields that don't expect you to add commas after the names so you end up with double commas. And date fields that that force you to type "02 09 2009" when 2 9 09 would be just as meaningful and correct. And pages that forget half the details you typed if you get any of the above "wrong".
Jason Williams  2009-12-13 20:45:14
A: 

My first answer would be "to reduce the complexity to the absolute minimum", but I guess you could also argue that it obfuscates the data if there is an attack surface somewhere - a dodgy router / sniffer / man-in-the-middle - "xxxx xxxx xxxx xxxx" is almost certainly a credit card number, but "xxxxxxxxxxxxxxxx" could be a number of things. Of course, that won't hold back much determined hacking, and hopefully is largely mitigated by SSL etc.

I stress, I don't think this is a good reason, but it may be a reason...

Marc Gravell  2009-12-13 20:26:12
Of course that processing could (and should in this case) be done client side, so the formatted version never leaves the machine... But I think sending credit card numbers in plaintext at all is outrageous.
KernelJ  2009-12-13 20:29:58
@KernelJ - who mentioned plaintext? I said SSL.
Marc Gravell  2009-12-13 20:31:30
If your dodgy router is generating valid credit card numbers, put it on EBay and retire. :P
Schwern  2009-12-13 21:00:04
@KernelJ - even if the client-side validates the CC number the server side still needs to run the same validation. You can't control every possible client, but you an control your own server / code.
pygorex1  2009-12-13 21:15:42
A: 

I think its just a matter of laziness and less programing because one can make it accept with AND without dash. or even make different text boxes for each part(using 4 or 5 small text boxes instead of using a giant text box. or maybe its just because people might get confused

Reza  2009-12-13 20:46:46
Oooh, individual boxes is more evil than good due to the disparity in length and layout of credit card numbers. An AmEx card, for example, uses 3 groups. I'm sure you could come up with some sort of clever Javascripty thing that changed the box layout based on the credit card type, but I'm sure you're going to leave some users who won't think to set the type before the number puzzled.
Schwern  2009-12-13 21:04:29
A: 

I've always found this very odd since its trivial to remove non-digits from a string.

This is even more confusing, given that each card type (Visa/MC/Amex/Discover) has a unique encoding using check digits. So when I enter a credit card number and select VISA as the card type an intelligent validator will verify that the number IS a Visa number. So, if you're going to correctly validate a CC number, you're going to have to remove non-digits from any user-supplied string.

There's three main reasons I can think of why the card validation is implemented poorly:

  • Check digit validation that doesn't anticipate non-numbers.
  • A lazy/distressed programmer passes all arguments without pre-validation to a payment gateway and lets the gateway validate the credit card info. A payment gateway is much more rigid with it's argument/data validation then a user interface should be.
  • Misapprehension about the imaginary legal ramifications of modifying user-supplied cc data.
pygorex1  2009-12-13 21:13:43
Actually, the check digit stuff isn't different across cards. Almost all of them use the Luhn algorithm (and that doesn't encode anything). You can tell valid card numbers apart by the first digits, sometimes even identifying the issuing bank.
brian d foy  2009-12-13 21:50:37

related questions

Would you override ScriptControl or BaseValidator for an async ASP.NET validator control?
Handling HttpRequestValidationException gracefully and ASP.net AJAX compatible?
How to Dynamically Generate String Validation?
Validate email address in Javascript?
Data Validation Design Patterns
Strong Validation in WPF
How to evaluate an IP?
Validating a HUGE XML file
Validate (X)HTML in Python
ValidationRule To Enforce Unique Name
Checking if userinput is a valid URI in XUL
XML Parser Validation Report
Email SMTP validator
MVC - where to implement form validation (server-side)?
How do you remove invalid hexadecimal characters from an XML-based data source prior to constructing an XmlReader or XPathDocument that uses the data?
How to check set of files conform to a naming scheme
What's the best way to implement field validation using ASP.NET MVC?
How do I validate xml against a DTD file in Python
What's the best way to validate an XML file against an XSD file?
Problem databinding an ASP.Net AJAX toolkit MaskedEditExtender
Validating posted form data in the ASP.NET MVC framework
Best method for varchar date validation in Sybase (T-SQL)?
How important is W3C XHTML/CSS validation when finalizing work?
How far should one take e-mail address validation?
ASP .Net Custom Client-Side Validation